
Azure managed applications overview

Azure managed applications enable you to offer cloud solutions that are easy for consumers to deploy and operate. You implement the infrastructure and provide ongoing support. To make a managed application available to all customers, publish it in the Azure marketplace. To make it available to only users in your organization, publish it to an internal catalog.

A managed application is similar to a solution template in the Marketplace, with one key difference. In a managed application, the resources are deployed to a resource group that's managed by the publisher of the app. The resource group is present in the consumer's subscription, but an identity in the publisher's tenant has access to the resource group. As the publisher, you specify the cost for ongoing support of the solution.

Note

Formerly, the documentation for Azure Custom Providers was included with the documentation for Managed Applications. That documentation has been moved. Now, see Azure Custom Providers.

Advantages of managed applications

Managed applications reduce barriers to consumers using your solutions. They don't need expertise in cloud infrastructure to use your solution. Consumers have limited access to the critical resources and don't need to worry about making a mistake when managing them.

Managed applications enable you to establish an ongoing relationship with your consumers. You define terms for managing the application, and all charges are handled through Azure billing.

Although customers deploy these managed applications in their subscriptions, they don't have to maintain, update, or service them. You can make sure that all customers are using approved versions. Customers don't have to develop application-specific domain knowledge to manage these applications. Customers automatically acquire application updates without the need to worry about troubleshooting and diagnosing issues with the applications.

For IT teams, managed applications enable you to offer pre-approved solutions to users in the organization. You know these solutions are compliant with organizational standards.

Managed applications support managed identities for Azure resources.

Types of managed applications

You can publish your managed application either externally or internally.

Publish internally or externally

Service catalog

The service catalog is an internal catalog of approved solutions for users in an organization. You use the catalog to meet organizational standards while offering solutions for the organization. Employees use the catalog to easily find applications that are recommended and approved by their IT departments. They see the managed applications that other people in their organization share with them.

For information about publishing a Service Catalog managed application, see Create service catalog application.

Marketplace

Vendors wishing to bill for their services can make a managed application available through the Azure marketplace. After the vendor publishes an application, it's available to users outside the organization. With this approach, managed service providers (MSPs), independent software vendors (ISVs), and system integrators (SIs) can offer their solutions to all Azure customers.

For information about publishing a managed application to the Marketplace, see Create marketplace application.

Resource groups for managed applications

Typically, the resources for a managed application are in two resource groups. The consumer manages one resource group, and the publisher manages the other resource group. When defining the managed application, the publisher specifies the levels of access. The publisher can request either a permanent role assignment, or just-in-time access for an assignment that is constrained to a time period.

Restricting access for data operations is currently not supported for all data providers in Azure.

The following image shows a scenario where the publisher requests the owner role for the managed resource group. The publisher placed a read-only lock on this resource group for the consumer. The publisher's identities that are granted access to the managed resource group are exempt from the lock.

Resource group access

Application resource group

This resource group holds the managed application instance. This resource group may only contain one resource. The resource type of the managed application is Microsoft.Solutions/applications.

The consumer has full access to the resource group and uses it to manage the lifecycle of the managed application.

Managed resource group

This resource group holds all the resources that are required by the managed application. For example, this resource group contains the virtual machines, storage accounts, and virtual networks for the solution. The consumer has limited access to this resource group because the consumer doesn't manage the individual resources for the managed application. The publisher's access to this resource group corresponds to the role specified in the managed application definition. For example, the publisher might request the Owner or Contributor role for this resource group. The access is either permanent or limited to a specific time.
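As an added example (not part of the original article and not Microsoft's code), the following Python shows how a consumer could review the publisher access that a managed application definition requests before deploying it. It reads the definition's `properties.authorizations` and `properties.lockLevel` fields; the sample definition, the placeholder principal IDs, and the risk labels are constructed for illustration.

```python
import json

# Azure built-in role definition GUIDs.
BUILTIN_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
}
# Risk labels are this example's own rating, not an Azure concept.
RISK = {"Owner": "high", "Contributor": "medium", "Reader": "low"}

# Constructed sample definition; principal IDs are placeholders.
SAMPLE_DEFINITION = json.loads("""
{
  "type": "Microsoft.Solutions/applicationDefinitions",
  "properties": {
    "lockLevel": "ReadOnly",
    "authorizations": [
      {"principalId": "00000000-0000-0000-0000-000000000001",
       "roleDefinitionId": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"},
      {"principalId": "00000000-0000-0000-0000-000000000002",
       "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/ACDD72A7-3385-48EF-BD42-F606FBA81AE7"}
    ]
  }
}
""")

def role_name(role_definition_id):
    """Accept a bare GUID or a full role definition resource ID."""
    guid = role_definition_id.rstrip("/").split("/")[-1].lower()
    return BUILTIN_ROLES.get(guid, "custom or unrecognized role")

def review_definition(definition):
    """Return (risk, subject, detail) tuples for each publisher grant and the lock."""
    props = definition.get("properties", {})
    findings = []
    for auth in props.get("authorizations", []):
        role = role_name(auth.get("roleDefinitionId", ""))
        findings.append((RISK.get(role, "review"), auth.get("principalId"), role))
    lock = props.get("lockLevel", "None")
    if lock != "ReadOnly":
        # Without a read-only lock the consumer is not restricted to read actions.
        findings.append(("review", "consumer", f"lockLevel={lock}"))
    return findings

if __name__ == "__main__":
    for finding in review_definition(SAMPLE_DEFINITION):
        print(finding)
```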

When publishing the managed application to the marketplace, the publisher can grant consumers the ability to perform specific actions on resources in the managed resource group. For example, the publisher can specify that consumers can restart virtual machines. All other actions beyond read actions are still denied.

When the consumer deletes the managed application, the managed resource group is also deleted.

Azure Policy

You can apply an Azure Policy to your managed application. You apply policies to make sure deployed instances of your managed application fulfill data and security requirements. If your application interacts with sensitive data, make sure you've evaluated how that should be protected. For example, if your application interacts with data from Office 365, apply a policy to make sure data encryption is enabled.

Next steps

In this article, you learned about benefits of using managed applications. Go to the next article to create a managed application definition.